bitrat | b693010f3f342fb06dd959f2553b7937d5daeaf9b4b7fd800ed5a9a6d8a099e7

Analysis

max time kernel
23s
max time network
17s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
02-06-2024 09:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SQLi v.8.5.exe
Size

12.7MB
MD5

d887c03a2d230dc196c8b3ac47030b9e
SHA1

b4d08bf36841ffdeb0750455021a707804f8d509
SHA256

b693010f3f342fb06dd959f2553b7937d5daeaf9b4b7fd800ed5a9a6d8a099e7
SHA512

6cee30d2448b930504f0933ca04e7f30fb3e1f2924d490146c0168308298d222cf5eb83885da405ba8fcd92b7f4979e23b4f9c706c936df5bfb52d2819022072
SSDEEP

196608:OhzlOFCwaHNFrXW+YrDkx/NNYz7vPmHpBt:2zMCwaHNlXW+Y/kx/TyPmj

Score

10^/10

bitrat persistence trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.34

80.85.156.209:8080

Attributes

communication_password
ae5eb824ef87499f644c3f11a7176157
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Executes dropped EXE 3 IoCs

Processes:

0.exepebloso.exepebloso.exe

pid process

2272 0.exe
3020 pebloso.exe
2584 pebloso.exe
Loads dropped DLL 3 IoCs

Processes:

SQLi v.8.5.exepebloso.exe

pid process

108 SQLi v.8.5.exe
108 SQLi v.8.5.exe
3020 pebloso.exe

pid	process
2272	0.exe
3020	pebloso.exe
2584	pebloso.exe

pid	process
108	SQLi v.8.5.exe
108	SQLi v.8.5.exe
3020	pebloso.exe

UPX packed file 51 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2584-24-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-25-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-23-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-21-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-28-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-34-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-35-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-37-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-38-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-40-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-41-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-43-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-46-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-44-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-47-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-49-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-50-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-52-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-53-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-54-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-56-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-60-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-58-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-64-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-66-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-63-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-61-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-67-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-70-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-68-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-75-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-77-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-79-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-83-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-85-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-90-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-88-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-96-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-102-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-94-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-93-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-91-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-87-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-81-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-80-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-73-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-72-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-97-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-99-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-100-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-145-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

pebloso.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\shwifty = "C:\\users\\Admin\\AppData\\Local\\Temp\\shwifty.exe"	pebloso.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

2 pastebin.com
4 pastebin.com
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

pebloso.exe

pid process

2584 pebloso.exe
2584 pebloso.exe
2584 pebloso.exe
2584 pebloso.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

pebloso.exe

description pid process target process

PID 3020 set thread context of 2584 3020 pebloso.exe pebloso.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
NTFS ADS 2 IoCs

Processes:

pebloso.exe

description ioc process

File created C:\Users\Admin\AppData\Local:02-06-2024 pebloso.exe
File opened for modification C:\Users\Admin\AppData\Local:02-06-2024 pebloso.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

0.exe

pid process

2272 0.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pebloso.exe

pid process

2584 pebloso.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

0.exepebloso.exe

description pid process

Token: SeDebugPrivilege 2272 0.exe
Token: SeDebugPrivilege 2584 pebloso.exe
Token: SeShutdownPrivilege 2584 pebloso.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

SQLi v.8.5.exepebloso.exe

pid process

108 SQLi v.8.5.exe
108 SQLi v.8.5.exe
2584 pebloso.exe
2584 pebloso.exe

flow	ioc
2	pastebin.com
4	pastebin.com

pid	process
2584	pebloso.exe
2584	pebloso.exe
2584	pebloso.exe
2584	pebloso.exe

description	pid	process	target process
PID 3020 set thread context of 2584	3020	pebloso.exe	pebloso.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local:02-06-2024	pebloso.exe
File opened for modification	C:\Users\Admin\AppData\Local:02-06-2024	pebloso.exe

pid	process
2272	0.exe

pid	process
2584	pebloso.exe

description	pid	process
Token: SeDebugPrivilege	2272	0.exe
Token: SeDebugPrivilege	2584	pebloso.exe
Token: SeShutdownPrivilege	2584	pebloso.exe

pid	process
108	SQLi v.8.5.exe
108	SQLi v.8.5.exe
2584	pebloso.exe
2584	pebloso.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

SQLi v.8.5.exepebloso.exe

description	pid	process	target process
PID 108 wrote to memory of 2272	108	SQLi v.8.5.exe	0.exe
PID 108 wrote to memory of 2272	108	SQLi v.8.5.exe	0.exe
PID 108 wrote to memory of 2272	108	SQLi v.8.5.exe	0.exe
PID 108 wrote to memory of 2272	108	SQLi v.8.5.exe	0.exe
PID 108 wrote to memory of 3020	108	SQLi v.8.5.exe	pebloso.exe
PID 108 wrote to memory of 3020	108	SQLi v.8.5.exe	pebloso.exe
PID 108 wrote to memory of 3020	108	SQLi v.8.5.exe	pebloso.exe
PID 108 wrote to memory of 3020	108	SQLi v.8.5.exe	pebloso.exe
PID 3020 wrote to memory of 2584	3020	pebloso.exe	pebloso.exe
PID 3020 wrote to memory of 2584	3020	pebloso.exe	pebloso.exe
PID 3020 wrote to memory of 2584	3020	pebloso.exe	pebloso.exe
PID 3020 wrote to memory of 2584	3020	pebloso.exe	pebloso.exe
PID 3020 wrote to memory of 2584	3020	pebloso.exe	pebloso.exe
PID 3020 wrote to memory of 2584	3020	pebloso.exe	pebloso.exe

C:\Users\Admin\AppData\Local\Temp\SQLi v.8.5.exe
"C:\Users\Admin\AppData\Local\Temp\SQLi v.8.5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:108

C:\Users\Admin\AppData\Local\Temp\0.exe
"C:\Users\Admin\AppData\Local\Temp\0.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\Users\Admin\AppData\Local\Temp\pebloso.exe
"C:\Users\Admin\AppData\Local\Temp\pebloso.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3020

C:\Users\Admin\AppData\Local\Temp\pebloso.exe
"C:\Users\Admin\AppData\Local\Temp\pebloso.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- NTFS ADS
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2584

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\0.exe
Filesize
2.3MB

MD5
f558500b09118c2d5482c0097d41b986

SHA1
ebdd90df103acb0a28a46b4affde511f5b0bb6d0

SHA256
4081a78ba280d28c56551983e515486a1dacf9ba26a3e76a71060982cc9e5ed7

SHA512
d4bfd969d7e8e0ff7aedf55ea69398ced8bd81dd2bde7e87a79d6890fa4b38d0275ceb8c72e20336d97bff2252cd904e27f8023b93dacf961d7345d18e0e7441

Download Submit
\Users\Admin\AppData\Local\Temp\pebloso.exe
Filesize
6.2MB

MD5
4d28de913b4b1e07f75c75e3cdd75add

SHA1
ce6735e3a3b68b904bda4ea150adfed689b8d18a

SHA256
e43d70c273c8c083b5368e6c8dfd74e403a3f6b5e263609497940bb94ecc6f01

SHA512
ea7bc0621977f6a9833c28945c41681c065073fb8b63e44118d772f0132dea60c6ed2c5129cb6072d5e315ee82e512bc54686adace9aa979e443b7803aa41a1a

Download Submit
memory/108-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/108-14-0x0000000000400000-0x00000000010C1000-memory.dmp

Filesize
12.8MB

Download
memory/2272-12-0x00000000003F0000-0x000000000064A000-memory.dmp

Filesize
2.4MB

Download
memory/2584-18-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2584-24-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-25-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-23-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-21-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-28-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-34-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-35-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-37-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-38-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-40-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-41-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-43-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-46-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-44-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-47-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-49-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-50-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-52-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-53-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-54-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-56-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-60-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-58-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-64-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-66-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-63-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-61-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-67-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-70-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-68-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-75-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-77-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-79-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-83-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-85-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-90-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-88-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-96-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-102-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-94-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-93-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-91-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-87-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-81-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-80-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-73-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-72-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-97-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-99-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-100-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-145-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3020-26-0x0000000000400000-0x0000000000A8E000-memory.dmp

Filesize
6.6MB

Download